Enterasys NAC Design Guide 3-13
5. Remediation - When the quarantined end user opens a web browser to any web site, its traffic is dynamically redirected to a Remediation web page that describes the compliance violations and provides remediation steps for the user to execute in order to achieve compliance. After taking the appropriate remediation steps, the end user clicks on a button on the web page to reattempt network access, forcing the re-assessment of the end-system. At this point, the Enterasys NAC solution transitions the end-system through the entire NAC cycle, re-assessing the security posture of the end-system to determine if the remediation techniques were successfully followed.
If the end-system is now compliant with network security policy, the NAC Controller authorizes the end-system with the appropriate access policy. If the end-system is not compliant, the end-system is given restricted access to the network by assigning a policy to the end-system on the NAC Controller, and the process starts again.
Summary
The decision whether to deploy inline or out-of-band network access control depends on the infrastructure devices deployed in your network. For some network topologies, inline NAC utilizing the NAC Controller appliance may be required, while for other network configurations, out-of-band NAC utilizing the NAC Gateway appliance may be used.
The following table summarizes four NAC use scenarios and their NAC appliance requirements. The Enterasys NAC solution is capable of implementing network access control for all four use scenarios as well as environments with mixed use scenarios that may require the concurrent deployment of inline and out-of-band NAC.
Table 3-1 Use Scenario Summaries
Columns: Use Scenario; Summary and Appliance Requirements

Scenario 1: Intelligent wired access edge
Summary: Intelligent edge switches in the network access layer provide authentication and authorization for connecting end-systems.
Appliance Requirement: NAC Gateway
The NAC Gateway appliance provides out-of-band network access control by leveraging the intelligent edge switches as the authorization point for connecting end-systems.

Scenario 2: Intelligent wireless access edge
Summary: Thick Access Points (APs), or wireless switches with thin APs, provide authentication and authorization for connecting end-systems.
Appliance Requirement: NAC Gateway
The NAC Gateway appliance provides out-of-band network access control by leveraging the intelligent wireless infrastructure devices as the authorization point for connecting end-systems.

Scenario 3: Non-intelligent access edge (wired and wireless)
Summary: Non-intelligent edge switches in the network access layer are not capable of providing authentication and authorization for connecting end-systems.
Appliance Requirement: NAC Controller
Inline network access control is implemented by positioning the NAC Controller appliance at a strategic point in the network topology as the authorization point for end-system traffic.